| OSVDB ID | Disclosure Date | Title | Description |
|---|---|---|---|
| 10414 | 2004-09-27 | WordPress edit.php s Parameter XSS | WordPress contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 's' variables upon submission to the 'edit.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 69242 | 2010-11-13 | WordPress Event Registration Plugin Events Page event_id Parameter SQL Injection | WordPress Event Registration Plugin contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the Events Page not properly sanitizing user-supplied input to the 'event_id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 74490 | 2011-05-25 | Wordpress File Upload Unspecified Issue | (Description Provided by CVE): The file upload functionality WordPress 3.1 before 3.1.3 and 3.2 before Beta 2, when running "on hosts with dangerous security settings," has unknown impact and attack vectors, possibly related to dangerous filenames. |
| 63179 | 2010-03-09 | WordPress Fixed Cookie Name Password Protected Page Restriction Bypass | Unknown / Incomplete |
| 55714 | 2009-07-08 | WordPress Forgotten Mail Interface New Password Request User Enumeration | (Description Provided by CVE): The forgotten mail interface in WordPress and WordPress MU before 2.8.1 exhibits different behavior for a password request depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience." |
| 52211 | 2008-02-16 | WordPress Forum showprofile Function user Parameter SQL Injection | Unknown / Incomplete |
| 52209 | 2008-02-15 | WordPress Forum topic Parameter SQL Injection | Unknown / Incomplete |
| 31274 | 2006-11-11 | WordPress functions.php file Parameter Remote File Inclusion | WordPress has been reported to contain a flaw that may allow a remote attacker to execute arbitrary commands. The issue is supposedly due to the functions.php script not properly sanitizing user input supplied to the 'file' variable. However, subsequent examination indicates the variable is set prior to an attacker being able to manipulate input. |
| 55716 | 2009-07-08 | WordPress HTML Comment Poster Account Name Disclosure | (Description Provided by CVE): WordPress 2.7.1 places the username of a post's author in an HTML comment, which allows remote attackers to obtain sensitive information by reading the HTML source. |
| 74488 | 2011-05-25 | Wordpress HTML Document Frame Multiple Page Rendering Clickjacking | (Description Provided by CVE): WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 does not prevent rendering for (1) admin or (2) login pages inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. |
| 64761 | 2010-05-20 | Wordpress Import Module for Drupal WRX File Import Arbitrary File Upload | Unknown / Incomplete |
| 19634 | 2005-08-27 | WordPress index.php cat Parameter SQL Injection | Unknown / Incomplete |
| 53612 | 2004-12-21 | WordPress index.php m Parameter SQL Injection | WordPress contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'm' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 33458 | 2007-01-12 | WordPress index.php m[] Variable SQL Table Prefix Disclosure | (Description Provided by CVE): WordPress 2.0.6, and 2.1Alpha 3 (SVN:4662), does not properly verify that the m parameter value has the string data type, which allows remote attackers to obtain sensitive information via an invalid m[] parameter, as demonstrated by obtaining the path, and obtaining certain SQL information such as the table prefix. |
| 27008 | 2006-07-02 | WordPress index.php paged Variable Table Prefix Disclosure | (Description Provided by CVE): index.php in WordPress 2.0.3 allows remote attackers to obtain sensitive information, such as SQL table prefixes, via an invalid paged parameter, which displays the information in an SQL error message. NOTE: this issue has been disputed by a third party who states that the issue does not leak any target-specific information. |
| 39518 | 2007-12-14 | WordPress index.php wp-admin/ Unauthorized Draft Information Disclosure | WordPress contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when accessing the 'index.php' script, which will disclose draft posts before they have been published, resulting in a loss of confidentiality. |
| 70234 | 2010-12-30 | WordPress KSES Library Protocol Strings XSS | WordPress contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain input containing protocol strings in the KSES library before use. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 12618 | 2004-12-16 | WordPress link-add.php Multiple Parameter XSS | WordPress contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate multiple variables upon submission to the 'link-add.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 12619 | 2004-12-16 | WordPress link-categories.php cat_id Parameter XSS | WordPress contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'cat_id' variables upon submission to the 'link-categories.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 12620 | 2004-12-16 | WordPress link-manager.php Multiple Parameter XSS | WordPress contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate multiple variables upon submission to the 'link-manager.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 4611 | 2003-06-02 | WordPress links.all.php abspath Parameter Remote File Inclusion | WordPress contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'links.all.php' script not properly sanitizing user input supplied to the 'abspath' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server. |
| 55713 | 2009-07-08 | WordPress Login Error Message Account Enumeration | WordPress contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered by different responses to failed logins for nonexistent and valid accounts, which will disclose valid usernames to a remote attacker. |
| 74485 | 2011-05-25 | Wordpress Media Security Unspecified Issue | (Description Provided by CVE): Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Media security." |
| 17639 | 2005-06-29 | WordPress menu-header.php Direct Request Path Disclosure | (Description Provided by CVE): WordPress 1.5.1.2 and earlier allows remote attackers to obtain sensitive information via (1) a direct request to menu-header.php or a "1" value in the feed parameter to (2) wp-atom.php, (3) wp-rss.php, or (4) wp-rss2.php, which reveal the path in an error message. NOTE: vector [1] was later reported to also affect WordPress 2.0.1. |
| 12622 | 2004-12-16 | WordPress moderation.php item_approved Parameter XSS | WordPress contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'item_approved' variables upon submission to the 'moderation.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 48700 | 2008-09-08 | WordPress mt_rand() Function RNG Weakness | Unknown / Incomplete |
| 41134 | 2008-02-05 | WordPress MU wp-admin/options.php Arbitrary PHP Code Upload / Execution | (Description Provided by CVE): wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier, does not properly validate requests to update an option, which allows remote authenticated users with manage_options and upload_files capabilities to execute arbitrary code by uploading a PHP script and adding this script's pathname to active_plugins. |
| 48635 | 2008-09-29 | WordPress MU wp-admin/wpmu-blogs.php Multiple Parameter XSS | (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in wp-admin/wp-blogs.php in Wordpress MU (WPMU) before 2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) s and (2) ip_address parameters. |
| 52814 | 2009-03-10 | Wordpress MU wp-includes/wpmu-functions.php Host Header XSS | (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in the choose_primary_blog function in wp-includes/wpmu-functions.php in WordPress MU (WPMU) before 2.7 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header. |
| 31579 | 2007-01-05 | WordPress Multibyte Charset SQL Injection | WordPress contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the wp-trackback.php script not properly sanitizing user-supplied input to the 'p' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |